After updating to 7.4.0.5782, the ProCall client does not start and Sophos reports an alert
May 2022
ProCall Enterprise 7.4.1
ProCall Enterprise 7.4.0.5782
Information about ProCall Enterprise 7.4.1
In ProCall Release 7.4.1 () the Yealink SDK (libyealinkusbsdk.dll) for call control was no longer shipped with the installation due to the reasons listed below. Please note that even if you update from 7.4.0 to 7.4.1, the SDK will no longer be installed.
However, if you urgently need the "Call control with Yealink headsets" functionality, you can ask Yealink for the SDK (libyealinkusbsdk.dll), create the new subfolder "\driver\x86\Yealink" in the ProCall client installation, and copy the DLL into it manually.
If you are already using version 7.4.0, you can also move the DLL file to a temporary location before updating to 7.4.1 and copy it back after the update.
Yealink is working hard to resolve the false positive virus alerts when using "Sophos Central Intercept X Advanced with XDR".
As soon as a solution is available, the SDK will also become an official part of ProCall 7 Enterprise again.
Observation
After updating the ProCall client to version 7.4.0.5782, it no longer starts.
Sophos reports "Malicious exploit ROP in estos ProCall"
Reason
ProCall version 7.4.0.5782 introduces the new feature "Yealink Headset HID support". To provide it, a Yealink SDK is included with the installation:
C:\Program Files (x86)\estos\ProCall\driver\x86\Yealink → libyealinkusbsdk.dll
What estos has done
We scanned the DLL with VirusTotal and nothing malicious was found:
https://www.virustotal.com/gui/file/0304941c189536da808287cace6418591b64be97e044382e318f4b4bd56a8154
We have contacted Yealink; feedback is still pending.
What you can do
Report it to Sophos to whitelist this DLL.
Workaround
There are the following three options:
- Create an exception in Sophos
- A registry key can be set so that the SDK is not loaded when the ProCall client is started:
    Windows Registry Editor Version 5.00

    [HKEY_CURRENT_USER\SOFTWARE\ESTOS\UCServer4\CtiMain]
    "AVAudioExcludeHidSdk0"="Yealink"
- Delete the following folder on the client with the SDK (not update-safe):
C:\Program Files (x86)\estos\ProCall\driver\x86\Yealink
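
Before creating a Sophos exception, it is worth confirming that the DLL on the client is the same file estos scanned. The following PowerShell script is an added example, not estos or Yealink code: it compares the DLL's SHA-256 with the identifier in the VirusTotal link above (assumed to be the SHA-256 of the DLL shipped with 7.4.0.5782) and, if the hypothetical `-DisableSdkLoad` switch is passed, sets the registry value from the second workaround.

```powershell
# Added example: confirm the flagged DLL is the file estos scanned, then
# optionally apply the registry workaround from this article.
param(
    # Install path as given in the article; adjust if ProCall is installed elsewhere.
    [string]$DllPath = 'C:\Program Files (x86)\estos\ProCall\driver\x86\Yealink\libyealinkusbsdk.dll',
    # Hypothetical switch name: set the registry value only when it is passed.
    [switch]$DisableSdkLoad
)

# Identifier from the VirusTotal link in this article (assumption: it is the
# SHA-256 of the DLL shipped with 7.4.0.5782).
$ExpectedSha256 = '0304941c189536da808287cace6418591b64be97e044382e318f4b4bd56a8154'

if (-not (Test-Path -LiteralPath $DllPath -PathType Leaf)) {
    Write-Warning "DLL not found at $DllPath (folder deleted, or 7.4.1 installed)."
} else {
    $actual = (Get-FileHash -LiteralPath $DllPath -Algorithm SHA256).Hash.ToLowerInvariant()
    $sig    = Get-AuthenticodeSignature -LiteralPath $DllPath
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { 'no signer' }

    Write-Output "SHA-256   : $actual"
    Write-Output "Signature : $($sig.Status) ($signer)"

    if ($actual -eq $ExpectedSha256) {
        Write-Output 'Hash matches the file referenced in the article.'
    } else {
        # A different hash means this is not the file that was scanned,
        # for example a newer SDK build or a replaced DLL.
        Write-Warning 'Hash differs from the article. Confirm the origin of this file before creating an exception.'
    }
}

if ($DisableSdkLoad) {
    # Workaround 2: tell the ProCall client not to load the Yealink SDK at start.
    $key = 'HKCU:\SOFTWARE\ESTOS\UCServer4\CtiMain'
    if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'AVAudioExcludeHidSdk0' -Value 'Yealink' `
        -PropertyType String -Force | Out-Null
    $current = (Get-ItemProperty -Path $key).AVAudioExcludeHidSdk0
    Write-Output "AVAudioExcludeHidSdk0 = $current (applies at the next ProCall client start)"
}
```

Because the value lives under HKEY_CURRENT_USER, the script has to run in the session of the user who starts the ProCall client.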